lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 23 Apr 2018 12:17:55 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Martijn Coenen <maco@...roid.com>
Cc:     Eric Biggers <ebiggers3@...il.com>,
        Arve Hjønnevåg <arve@...roid.com>,
        "open list:ANDROID DRIVERS" <devel@...verdev.osuosl.org>,
        Greg KH <gregkh@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Todd Kjos <tkjos@...roid.com>,
        syzbot <syzbot+0cf1f1aa154f56ff2e8d@...kaller.appspotmail.com>
Subject: Re: KASAN: use-after-free Read in binder_release_work

On Mon, Apr 23, 2018 at 12:00 PM, Martijn Coenen <maco@...roid.com> wrote:
> On Mon, Apr 23, 2018 at 11:49 AM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
>> Since it's already in Greg's queue, it's not worth bothering. We can
>> fix up things here with these "#syz fix" tags in emails, which
>> associate fixes with bugs.
>
> I meant, when I sent the original patch a month or so ago, could
> syzbot have replied saying "The reported-by tag you used belongs to a
> bug that was already marked as closed by this other commit?".

syzbot does not extract this info from patch emails.
First of all, it's not possible to discover them all.
Second, a mailed patch does not mean committed patch. v2 can be resent
and potentially change title too.

syzbot takes this info from commits in the tree it tests. It probably
could extract some emails from the commit. But they can come months
later, so their value will be questionable. Also consider that 2
commits in different trees mention the same bug. syzbot generally
overwrites old info with new info, because that's the only way to fix
up things. Now this can lead to infinite stream of emails saying that
this commit fixes this bug, no that commit fixes this bug, no this
commit fixes this bug, etc.
Also consider that a bug is first marked as fixed with some commit,
bug later is marked as dup of another or re-marked as fixed with
another commit. You won't get a notification, because the whole
sequence looks reasonable.
This can also lead to problems when commits backported to
android/chromeos trees that syzbot also tests. There these fix tags
look plain bogus because they reference upstream bug, not
android/chromeos bugs.

By default we try to keep syzbot silent and non-spammy. And we do not
seem to have lots of such cases where things are somewhat messed. And
in all cases it should come to eventual consistency. If something is
marked as fixed prematurely, syzbot will open another bug. If
something is not marked as fixed (or marked as fixed with a
non-existent commit), then these bugs still hang on the dashboard and
visible.


>>> Thanks,
>>> Martijn
>>>
>>>> Now syzbot already skips list_del frame and takes the next one, so it
>>>> should become slightly better.
>>>>
>>>> Let's close this one with the binder fix (since that one was closed
>>>> with an rdma fix):
>>>>
>>>> #syz fix: ANDROID: binder: prevent transactions into own process.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ